[Security] Fixes CSRF vulnerability, introduced by 53eef4f

Reported by SourceClear, Inc.
railsadminteam · Dec 25, 2016 · b13e879 · b13e879 · Bartuz · Apr 12, 2017
1 parent 464440c
commit b13e879
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/app/controllers/rails_admin/application_controller.rb b/app/controllers/rails_admin/application_controller.rb
@@ -11,6 +11,8 @@ class ActionNotAllowed < ::StandardError
   end
 
   class ApplicationController < Config.parent_controller.constantize
+    protect_from_forgery with: :exception
+
     before_action :_authenticate!
     before_action :_authorize!
     before_action :_audit!

diff --git a/spec/integration/rails_admin_spec.rb b/spec/integration/rails_admin_spec.rb
@@ -148,4 +148,17 @@
       is_expected.to have_selector('.label-danger')
     end
   end
+
+  describe 'CSRF protection' do
+    before do
+      allow_any_instance_of(ActionController::Base).to receive(:protect_against_forgery?).and_return(true)
+    end
+
+    it 'is enforced' do
+      visit new_path(model_name: 'league')
+      fill_in 'league[name]', with: 'National league'
+      find('input[name="authenticity_token"]', visible: false).set("invalid token")
+      expect { click_button 'Save' }.to raise_error ActionController::InvalidAuthenticityToken
+    end
+  end
 end